Security Settings (WS)

Security may be turned on or off per web service instance. To activate security, please follow this guide.

Please open the web user interface of tia Web Service and click on the gear symbol in the Actions column of the web service instance for which you wish to activate security. This will open the configuration of the instance.

tia Web Service UI with highlighted gear-symbol in the Action column.

Please switch to the Security tab and tick the checkbox of the option UseSecurity.

Three types of security are supported.

  1. Checking whether the application’s name is signed

  2. Sending read/write operations using a configured certificate

  3. Permissions for content server operations (serverinfo, info, create, delete and get)

Signing an application’s name

Three fields must be configured in order to verify that the application name is signed.

  1. PublicKeystore Path (found at OSGi → Configuration → WebService MainConfiguration)

  2. PublicKeystore Password (found at OSGi → Configuration → WebService MainConfiguration)

  3. PublicStoreAlias (Main → tia Web Service → Instance name → Gear symbol → Security tab → PublicStoreAlias)

You may configure a keystore that contains one or more certificates (with public keys). When an instance receives a seckey, the seckey’s signature is verified against the public key stored under the alias configured in that web service instance’s configuration.

After enabling the UseSecurity setting and configuring a keystore alias, the signature of the application’s name is verified using the public key mapped to that alias in the specified keystore.

Please note: The instance must be restarted for the security settings to take effect.

Using a certificate

The option Certificate within the Security tab (Main → tia Web Service → Gear symbol in the Actions column of the instance) allows you to use different types of certificates. Currently you may choose from the following types.

  • KGS

  • ID3

  • none

Please note: If the remote content server does not yet hold a certificate, you may send the certificate of a specific web service instance by clicking the key symbol.

tia Web Service UI with highlighted “Send certificate”-action.

It’s also possible to send certificates to every web service instance with configured security by clicking the Send Certificates button at the bottom of the instance overview.

Configuring permission for Content Server operations

A web service instance may be configured to allow certain or all operations. The following operations are possible.

  • serverinfo: The web service instance allows serverinfo requests to be executed against the defined content server endpoint.

  • info: The web service instance allows info requests to be executed against the defined content server endpoint.

  • create: The web service instance allows create requests for documents to be executed against the defined content server endpoint.

  • delete: The web service instance allows delete requests for documents to be executed against the defined endpoint.

  • get: The web service instance allows get requests for documents to be executed against the defined endpoint.

Please note: These options and permissions work independently of the UseSecurity option, so UseSecurity does not have to be enabled for them.

You may find these options by opening the web user interface → Main → tia Web Service → Gear symbol in the Actions column of the instance → Security tab.

Opened web userinterface with highlighted request permission options

Importing a certificate with Public Key

In order to import a certificate with a public key, which will be used for verification, please follow this guide.

Open the web user interface of the Web Service and go to Main → tia Web Service. Please make sure that the PublicKeystore Path, the PublicKeystore Password and the PublicStoreAlias have been configured.

Next to the Web Service instance, please click on the Import icon, which opens a dialog. In this dialog you have to enter the alias and locate the certificate by clicking the Browse button.

After both have been set, please click on the Import button.

If the alias already exists, or the file is not a valid certificate with a public key, an error will be generated.

Opened instance overview of Web Service with highlighted “Import”-button and opened “Import Public Key”-modal

Generating a Certificate Signing Request (CSR)

This feature lets an instance generate a certificate signing request (CSR) in a specified folder, to be signed by an authorized authority (e.g. a CA). To use this feature, please make sure that the following parameters have been configured in the instance.

  • The PrivateKeystore Path

  • The PrivateKeystore Password

  • The OutputCSRDirectory Path

  • The PrivateStoreAlias

The CSR file is named after the instance. For example, if the instance name is “Cortex”, the CSR file will be “Cortex.csr”. The CSR file is expected to be signed by the appropriate authority, which later returns a CER file. Once the CER file has been received, please import it into the public keystore by following the steps in 6.4.

CSR attributes must be configured before the request can be generated. The important attributes are located at Main → KGS WebService → Instance name properties → Security.

Overriding Common Name

Normally an instance may only use a certificate whose common name (CN) is the application name itself. For example, if the application “Cortex” is to use a certificate with the common name “test.kgs-software.net”, the request will not succeed. However, the parameter “CNOverride” can be configured to use “test”.

In this case the request will succeed, as the application “Cortex” is then allowed to use the certificate with the common name “test”. The PublicStoreAlias should also be configured with the correct alias.

Generating Signed Keys

We have developed a command-line tool to generate signed text based on the input given by the user, which is usually the application name. The signed text can also be generated from the GUI of the Framework; the option is located at “Main → KGS Web Service → Generate SecKeys” as shown below.

Web user interface with highlighted “Generate SecKeys”-button.

After you click this option, a CSV file is generated that contains the application/instance names along with their signed texts (security keys). To use this option, the following prerequisites must be met.

  • The directory in which the CSV file will be generated must be configured.
    Found at OSGi → Configuration → WebService MainConfiguration → SecurityKey Path

  • The path to a valid Private Keystore along with its valid password must be configured.

  • The PrivateStoreAlias for the respective application name must be configured.
    Found at Main → KGS Web Service → click on Configure for the respective application (instance) → Security → PrivateStoreAlias
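The seckey generation and verification, the per-instance CSR and the CN/CNOverride rule described in the Security sections above, as an added example that is not tia Web Service or KGS code: it uses the openssl CLI, assumes a seckey is a base64 RSA-SHA256 signature over the application name, and models the PublicKeystore as a directory of PEM public keys named by alias.

```bash
#!/bin/sh
# Added example, not part of tia Web Service. Models the page's seckey flow with the openssl CLI.
# Assumed: a seckey is a base64 RSA-SHA256 signature over the application name, and the
# public keystore is modelled as a directory of PEM public keys named <alias>.pem.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PUBSTORE="$WORK/publicstore"; mkdir -p "$PUBSTORE"   # stands in for PublicKeystore Path

# Private key (PrivateKeystore) plus a CSR named after the instance, as the page describes.
# The public half is stored under an alias so that verification can look it up.
gen_instance_csr() {  # $1 = instance name, $2 = common name for the CSR
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
  openssl pkey -in "$WORK/$1.key" -pubout -out "$PUBSTORE/$1.pem" 2>/dev/null
}

# "Generate SecKeys": sign every application name and write one "instance,seckey" row per app.
generate_seckeys() {  # $1 = CSV path, remaining arguments = instance names
  csv=$1; shift; : > "$csv"
  for app in "$@"; do
    sig=$(printf '%s' "$app" | openssl dgst -sha256 -sign "$WORK/$app.key" | openssl base64 -A)
    printf '%s,%s\n' "$app" "$sig" >> "$csv"
  done
}

# Instance side with UseSecurity on: the seckey must verify with the public key under the
# configured PublicStoreAlias. Unknown alias, wrong key or altered name all fail.
verify_seckey() {  # $1 = application name, $2 = seckey, $3 = PublicStoreAlias
  [ -f "$PUBSTORE/$3.pem" ] || return 1
  printf '%s' "$2" | openssl base64 -d -A > "$WORK/sig.bin"
  printf '%s' "$1" | openssl dgst -sha256 -verify "$PUBSTORE/$3.pem" \
    -signature "$WORK/sig.bin" >/dev/null 2>&1
}

# CN rule from "Overriding Common Name": the certificate CN must equal the application name,
# unless CNOverride names the CN this application is allowed to use.
cn_allowed() {  # $1 = application name, $2 = CSR/certificate path, $3 = CNOverride (may be empty)
  cn=$(openssl req -noout -subject -in "$2" | sed -n 's/.*CN *= *//p')
  [ "$cn" = "$1" ] || { [ -n "${3:-}" ] && [ "$cn" = "${3:-}" ]; }
}

# Constructed sample: instance "Cortex" with a CSR whose CN ("test") differs from its name.
gen_instance_csr Cortex test
generate_seckeys "$WORK/seckeys.csv" Cortex
SECKEY=$(sed -n 's/^Cortex,//p' "$WORK/seckeys.csv")
verify_seckey Cortex "$SECKEY" Cortex && echo "seckey for Cortex verified under alias Cortex"
cn_allowed Cortex "$WORK/Cortex.csr" test && echo "CN test accepted for Cortex via CNOverride"
```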